Computer Networks/DV2 Lab

Academic year: 2021

Room: BB 219

Additional Information: http://www.fb9dv.uni-duisburg.de/ti/en/education/teaching/ss13/netlab

1. Practical Training: Network planning and installation of a file server
2. Practical Training: Web server installation and dynamic Web pages
3. Practical Training: Installation and configuration of a Firewall
4. Practical Training: Installation of a VPN for the connection of two networks
5. Practical Training: Programming; Client/Server connection over Sockets
6. Practical Training: Network Monitoring

Name:

Matriculation No.:

Supervisor Signature:

Contact: Joachim Zumbrägel BB 320

Tel: 0203/379-3978

E-Mail: joachim.zumbraegel@uni-due.de

Equipment for each group:

- 1 Server computer (OS: Windows Server 2008 Standard)
- 1 Client computer (OS: Windows XP Professional)
- 1 Computer as Router / Gateway (OS: Linux)
- 1 Switch
- Network cables

1. Introduction

The most important characteristics of computer networks are security and reliability. A good example of a higher level of security in computer networks is firewalls. They are usually placed between the network which should be protected and the internet. However, when large networks are divided into smaller ones, additional firewalls can be set up between the different subnets. These techniques provide higher security against external attacks, but none regarding internal problems, which are often caused by the network users.

The security of a computer network directly impacts its reliability. The network reliability depends on more than one factor, however. For example, defective hardware or wrongly configured software can affect the functionality, and hence the reliability, of a network. The worst case would be a complete breakdown of the whole network. Therefore, a major task of a network administrator is to periodically check the network for security leaks or malfunctions. One way to perform these checks is to analyse the traffic of the network.

In this practical training we will be using the program "Wireshark" to aid us in analysing our network traffic.

2. Basics of Network Traffic Analysis

2.1 Network Sniffers

The software "Wireshark" belongs to the category of so-called "sniffers" or "network sniffers"; it can be used for traffic analysis and traffic logging of LANs. "Wireshark" is an open source project released under the GNU General Public Licence. This piece of software offers a lot of functionality which is not always easy to use if you don't have at least basic knowledge about network sniffers and network protocols.

A network sniffer consists of a number of components. The underlying component is the capture driver, which is either directly connected to the NIC (Network Interface Card) driver or to the PPP-Adapter.

The capture driver copies all network packets into a buffer, where different filters can be defined in order to restrict capturing to packets which match certain criteria. In addition, a time frame can be defined or a limit can be set for the number of packets to be captured.

In this practical training WinPCap is used as the capture driver.

A decoding component is required for analysing the captured data. After decoding, single packets can be combined into data streams, i.e. all packets with the same source IP address, destination IP address and ports. Additionally, the use of DNS for mapping IP addresses to names can be helpful for analysis.

Furthermore, there are a lot of other options and techniques, which are not used in our practical training and therefore not described here.

Fig. 2.1: Wireshark

2.2 Protocols and Layers

As previously mentioned, basic knowledge of network protocols is required if one wants to work with a network sniffer program like "Wireshark". The major protocols in use are described in this document.

Figure 2.2.1 shows which protocols belong to which layer of the ISO/OSI model.

Fig. 2.2.1: Protocols’ Layer

The different layers are described in detail in Table 2.2 below.

Layer        Description
Application  Applications and network service programs, e.g. PING, HTTP server, DNS, etc.
Transport    TCP: Realizes a reliable byte stream between two processes and takes care that the data is transmitted in the right order and with integrity.
             UDP: Delivers datagrams without reliability.
Network      This layer has the following capabilities (independent of the hardware):
             • Addressing across different physical nets
             • Distributing the data over the physical connections
             • Dividing the data into packets (packetizing)
             • Embedding the packets into frames (framing)
             • Fragmenting of packets (if required)
             • Assembling of the fragments on the target computer
Data-Link    In this layer the packets are transferred from one NIC to another (NIC = Network Interface Card).
Physical     The basic layer. Defines e.g. the transmission medium and the rules for the transmission of single bits.

Table 2.2

Not only the knowledge of protocols is useful for network traffic analysis, but an understanding of the communication between the different layers as well. The basic idea of the ISO/OSI layer model is that only neighbouring layers are capable of communicating. For that reason TCP does not need to know how a connection was established (e.g. over Ethernet or ISDN).

As you should already know, the data in each layer is encapsulated by a layer specific frame. The encapsulation principle is as follows:

Layer N (where N is a digit between 2 and 6) receives a packet from Layer N+1, processes it and encapsulates that packet with a header (and in some cases with a trailer). The last step is to deliver the newly encapsulated packet to Layer N-1.

Fig. 2.2.2: Packet Encapsulation

Fig. 2.2.2 shows the principle of packet encapsulation. Each layer stores layer-specific information in its packet header, in order for the packet to be processed correctly on the receiver's side. It is possible to define different options for the packet within the header, e.g. priority, time to live (TTL), special routes, etc.

2.3 Computer communication

A thing to consider before analysing the traffic of a network is how the computers are connected. If a direct physical connection through the same medium or a connection via a hub is established between the computers, then all computers are capable of receiving the complete network traffic.

However, if the computers are connected through a switch this is no longer the case, because switches are capable of analysing the packets and therefore know which computer is being addressed. Furthermore, a switch knows which computer is connected on which port. Using that information a switch passes packets only to the computer which is addressed. Therefore, a computer connected to a switch is never able to listen to the complete network traffic.

By use of the MAC address [1] a network card is able to distinguish whether a received packet addresses the network card itself or another computer. If the received packet contains the MAC address of the network card, it is passed to the next higher protocol layer. All other packets are usually discarded. Nevertheless, receiving every packet is possible. For that the network card must be switched to the so-called "Promiscuous Mode", which allows receipt of all packets and therefore traffic monitoring.

2.4 Header

For traffic analysis, headers of the different protocols are very important.

Figure 2.4 below describes the structure of the DIX Ethernet II frame. The numbers below each field represent the number of bytes each field occupies.

Field:   Preamble | Destination | Source | Type | Data Unit  | CRC
Bytes:   8        | 6           | 6      | 2    | 46 - 1500  | 4

Fig. 2.4: DIX Ethernet II Frame

The preamble is used for bit synchronization and consists of 8 bytes.

The Destination and Source fields are the MAC addresses of the receiver and sender respectively (example of a MAC address: 00-E0-7D-82-DD-86). Each MAC address occupies 6 bytes, which are written as six hexadecimal values. The Type field is used for the distinction of higher protocols (e.g. 0x0800 for IP and 0x0806 for ARP).

Data Unit represents the actual data, of which between 46 and 1500 bytes are allowed within a single frame. CRC (Cyclic Redundancy Check) is used to detect errors that could occur during transmission.

[1] MAC address (Media Access Control address) is a worldwide unique identification of a network adapter or network interface card (NIC).

2.5 ARP (Address Resolution Protocol)

ARP is used for mapping IP addresses to MAC addresses. The Address Resolution Protocol uses a mapping table (the ARP cache) for this task. Before a connection is established over the Ethernet, IP asks ARP for the MAC address belonging to an IP address. First, ARP looks in its mapping table for an appropriate entry; if none exists, ARP sends a broadcast to all connected nodes in order to get this information from another node. The answer to this request is stored in the mapping table.

Fig. 2.5: Function of the ARP

2.6 IP (Internet Protocol)

The task of the Internet Protocol is to transport data packets from a sender to a destination over different networks. The transmission is packet oriented, connectionless and not guaranteed. This means that IP itself guarantees neither the receipt of a packet nor the right sequence of transmitted packets (e.g. packets can be lost due to network overload).

The maximum length of IP packets is limited to 65 535 bytes. Because some networks (internetworking components) are not able to handle such large packets, the minimum length of an IP packet is defined as 576 bytes. If a large packet is divided into smaller packets, this is called fragmentation. The procedure of rebuilding the large packet out of the smaller ones is called reassembly.

[Fig. 2.5 shows the ARP exchange between Host A and the router: Host A checks its ARP cache, sends an ARP request and appends the entry; the router sends the ARP answer and appends its own entry.]

The figure below shows what an IP header consists of. The values in brackets next to each field are the number of bits occupied by that field.

Version (4) | IHL (4) | Priority & Type (8) | Total Length (16)
Identification (16) | Flags (3) | Fragment Offset (13)
Time to Live (8) | Protocol (8) | Header Checksum (16)
Source IP address (32)
Destination IP address (32)
IP Options (0 or 32 if any) | Padding
Data (varies if any)

Fig. 2.6: IP Header

Version                  Version, i.e. IPv4 or IPv6
Internet Header Length   Length of the header in 32-bit steps
Type of Service          Service and transmission parameters. Hardly used.
Total Length             Length of the datagram, max. 64 kByte
Identification           Number for identification of the datagram
Flags                    Indicates if the datagram is fragmented or not
Fragment Offset          Defines the location of the fragment relative to the beginning of the datagram.
Time to Live (TTL)       This number (max = 255, typical = 128) defines how many router stations may be passed. Each router decrements the number by one. If TTL reaches zero the packet is destroyed.
Protocol                 Defines the protocol of the next higher protocol hierarchy, e.g. UDP or TCP
Header Checksum          Used for fault checking.
Source IP address        Sender's IP address
Destination IP address   Receiver's IP address
IP Options               Used in order to adapt services for higher protocols, e.g. security requests of the receiver. The length is not fixed.
Padding                  Since the IP Options field varies in length depending on the configuration, this field occupies the left-over bits, because the header has to end on a 32-bit word boundary: no more, no less.
Data                     The data being sent

The next higher protocol level is the transport layer, where different protocols such as UDP, TCP and ICMP are located.

2.7 TCP (Transmission Control Protocol)

TCP is a connection-oriented transport protocol for use in a packet-switched network. The Transmission Control Protocol (TCP) sits on top of the Internet Protocol (IP). It provides the functionality of the transport layer and establishes a secure connection between sender and receiver before data exchange. The data of the higher layers is not changed by TCP, but split and sent as single data packets, which can be up to 65 KBytes in size.

Figure 2.7 illustrates how the TCP header is structured. Using port numbers for sender and receiver, TCP packets can be multiplexed. For each port number 2 bytes are reserved. The allocation of the numbers is dynamic. The data exchange between TCP and processes is handled by port numbers as well. For the sequence number 4 bytes are reserved.

The sequence number and the acknowledgement number are used for flow control and for the order of the data packets. While the connection is established, a random number is generated and exchanged by sender and receiver. This number is called the initial sequence number and it is incremented during data exchange. For the acknowledgement number, 4 bytes are reserved, which are used to acknowledge the receipt of each packet. The header length is also specified, because it is not fixed.

Source Port (16) | Destination Port (16)
Sequence Number (32)
Acknowledgement Number (32)
Data Offset | Reserved (6) | Flags (6) | Window (16)
Checksum (16) | Urgent Pointer (16)
Options (0 or 32 if any) | Padding
Data (varies if any)

Fig. 2.7: TCP Header

The individual fields of the TCP header are not explained further in this paper. More information can be found in:

"Computernetzwerke", Andrew S. Tanenbaum, chapter 6.4

The end-to-end control uses positive acknowledgement: all received packets are confirmed, and packets that are not confirmed are resent. Using this mechanism a proper data exchange is guaranteed. The loss of data is prevented by the flow control, because each data packet is numbered and confirmed. If a confirmation does not arrive within a specific time frame, the packet is resent. If an error occurs, the error mechanism is activated and requests the erroneous data again from the layers above.

2.8 UDP (User Datagram Protocol)

The User Datagram Protocol is a transport protocol (layer 4) of the OSI reference model and it provides a connectionless data exchange between computers.

UDP Source Port (16) | UDP Destination Port (16)
UDP Message Length (16) | Checksum (16)
Data (varies if any)

Fig. 2.8: UDP Header

UDP has a minimum of protocol mechanisms and it does not guarantee the delivery of the datagram to the remote machine, nor does it provide mechanisms for detecting duplicates or sequence changes. Therefore the functional range of UDP is much smaller than that of TCP. It is restricted to transport service, connection multiplexing and error handling.

Regarding the transport service, correct data exchange is not assured using UDP, because it does not make use of any acknowledgement system. Therefore lost data packets cannot be resent. In contrast to TCP, UDP does not establish a connection between the machines, but sends data packets through the network independently of each other.
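As an added example (not part of the original lab sheet), the following Python script decodes the headers of Sections 2.4 to 2.8 from raw bytes, walking the encapsulation of Fig. 2.2.2 from the Ethernet frame through IP or ARP to TCP or UDP, and verifies the IP Header Checksum field. The frames it decodes are constructed inside the script; the MAC and IP addresses are the ones used in this document's examples, and the port and sequence numbers are arbitrary sample values.

```python
import struct

# Type values from Sec. 2.4 that select the higher protocol, and the IP protocol numbers
ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806
IPPROTO_TCP, IPPROTO_UDP = 6, 17
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]     # flag bits 0..5 of Fig. 2.7

def mac_str(raw):
    return "-".join(f"{b:02X}" for b in raw)                  # notation as in 00-E0-7D-82-DD-86

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def ip_checksum(header):
    """RFC 791 one's-complement sum; over a header with its checksum filled in it yields 0 if intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ethernet(frame):                                     # Fig. 2.4: 6 + 6 + 2 header bytes
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src), "type": etype}, frame[14:]

def parse_ipv4(pkt):                                           # bit widths from Fig. 2.6
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4                                 # IHL is counted in 32-bit words
    hdr = {"version": ver_ihl >> 4, "ihl": ihl, "total_length": total_len, "id": ident,
           "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF, "ttl": ttl,
           "protocol": proto, "src": ip_str(src), "dst": ip_str(dst),
           "checksum_ok": ip_checksum(pkt[:ihl]) == 0}
    return hdr, pkt[ihl:total_len]

def parse_tcp(seg):                                            # Fig. 2.7
    sport, dport, seq, ack, off_res, flags, win, csum, urg = struct.unpack("!HHIIBBHHH", seg[:20])
    data_offset = (off_res >> 4) * 4                           # header length in 32-bit words
    names = [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)]
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "flags": names, "window": win}, seg[data_offset:]

def parse_udp(dgram):                                          # Fig. 2.8
    sport, dport, length, csum = struct.unpack("!HHHH", dgram[:8])
    return {"src_port": sport, "dst_port": dport, "length": length}, dgram[8:length]

def parse_arp(pkt):                                            # Sec. 2.5: "who has <target_ip>?"
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", pkt[:28])
    return {"op": "request" if op == 1 else "reply", "sender_mac": mac_str(sha),
            "sender_ip": ip_str(spa), "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}

def decode(frame):
    """Walk the encapsulation of Fig. 2.2.2 from the outside in: Ethernet -> IP/ARP -> TCP/UDP."""
    eth, payload = parse_ethernet(frame)
    result = {"eth": eth}
    if eth["type"] == ETHERTYPE_ARP:
        result["arp"] = parse_arp(payload)
    elif eth["type"] == ETHERTYPE_IP:
        ip, payload = parse_ipv4(payload)
        result["ip"] = ip
        if ip["protocol"] == IPPROTO_TCP:
            result["tcp"], result["data"] = parse_tcp(payload)
        elif ip["protocol"] == IPPROTO_UDP:
            result["udp"], result["data"] = parse_udp(payload)
    return result

def build_ipv4(src, dst, proto, payload, ttl=128):
    """Assemble a 20-byte IPv4 header with a valid Header Checksum (used to construct the samples)."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, ttl, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:] + payload

# Constructed samples (not captured traffic): a TCP SYN from the client to port 80 on a web
# server, and the ARP request that precedes it. Ports and sequence number are arbitrary.
CLIENT_MAC, ROUTER_MAC = bytes.fromhex("00E07D82DD86"), bytes.fromhex("0001FF22B132")
SYN_SEGMENT = struct.pack("!HHIIBBHHH", 49152, 80,  1000, 0, 5 << 4, 0x02, 8192, 0, 0)
SAMPLE_SYN_FRAME = (ROUTER_MAC + CLIENT_MAC + struct.pack("!H", ETHERTYPE_IP)
                    + build_ipv4("192.168.1.10", "134.91.90.77", IPPROTO_TCP, SYN_SEGMENT))
ARP_REQUEST = struct.pack("!HHBBH6s4s6s4s", 1, ETHERTYPE_IP, 6, 4, 1, CLIENT_MAC,
                          bytes([192, 168, 1, 10]), bytes(6), bytes([192, 168, 1, 1]))
SAMPLE_ARP_FRAME = b"\xff" * 6 + CLIENT_MAC + struct.pack("!H", ETHERTYPE_ARP) + ARP_REQUEST

if __name__ == "__main__":
    print(decode(SAMPLE_ARP_FRAME), decode(SAMPLE_SYN_FRAME), sep="\n")
```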

On the top layer of the TCP/IP model, the so-called application layer, are the protocols of the well-known applications like HTTP, FTP, POP3, PING, DHCP, DNS etc.

Listing the details of each protocol here would go beyond the scope of the lab, but a short overview is very helpful for further understanding.

2.9 HTTP (Hyper Text Transfer Protocol)

HTTP is a general, stateless, object-oriented protocol for data communication within the World Wide Web (WWW). HTTP is a straightforward protocol. It describes a defined set of messages and replies which are used for client and server communication during an HTML session. For each request of a web browser to a web server for a new document, a new connection is established. HTTP addresses objects using URLs (Uniform Resource Locators). It handles the interaction between clients and servers and provides the adaptation of formats between them.

Example: http://www.uni-duisburg.de

2.10 FTP (File Transfer Protocol)

The File Transfer Protocol (FTP) is used for data exchange between different machines across the internet and for easier data handling. FTP is based on TCP, which means it uses TCP as the underlying protocol. The data transfer is controlled by the local system. The user rights on the remote system depend on the authentication using username and password.

Example:

ftp://ftp.uni-duisburg.de

Example with user identification:

ftp://user:password@ftp.uni-duisburg.de

2.11 PING (Packet Internet Grouper)

PING is a small program which implements the echo protocol. It is used to test the availability of remote computers. For this, ICMP (Internet Control Message Protocol) sends a request and waits for its response. With the ping command it can be verified whether a specific computer is connected to the internet or not. If there is no reply from the pinged computer within a specified time frame, either the ping request could not reach the machine or the machine could not reply to it, which means that this computer is switched off or protected by a firewall.

3. Wireshark

Wireshark is a network packet analyzer. A network packet analyzer will attempt to capture network packets and tries to display that packet data as detailed as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable (but at a higher level, of course).

3.1 Features

The following are some of the many features Wireshark provides:

• Capture live packet data from a network interface

• Display packets with very detailed protocol information

• Open and Save packet data captured

• Import and Export packet data from and to a lot of other capture programs

• Filter packets on many criteria

• Search for packets on many criteria

• Colorize packet display based on filters

• Create various statistics

After we start the application Wireshark, either by double-clicking on the icon on the desktop or by navigating to Start → Programs → Wireshark → Wireshark, we can examine the application's interface.

Figure 3.1 shows the Wireshark's GUI (Graphical User Interface), which is divided in three frames:

• The upper pane is a list of the captured packets with a short description. By clicking on a packet the other two frames will print out some more information about that packet.

• The middle pane has a tree structure. It holds the information divided by protocols or more precisely the layers of a protocol family.

• The lowest pane shows the data of the chosen packet.

By clicking on different fields in the middle frame the corresponding data will be highlighted in the lowest frame.

Fig. 3.1: Wireshark GUI

3.2 Capturing Packets

To show the packets and the information concerning the data, the network traffic has to be captured first; for this Wireshark uses the capture driver.

To begin capturing and select our capture interface we could either navigate to the Menu bar → Capture or we can use the first three buttons on the left hand side in the toolbar, as illustrated in Fig. 3.2.1.

[Fig. 3.2.1 labels: Filter Toolbar; 'Packet List' pane; 'Packet Details' pane; 'Packet Bytes' pane; Applied Display Filter(s)]

Fig. 3.2.1: Start capturing

Now we can choose some capture options. If we go to Capture → Options… or click on the second icon from left to right in the toolbar, we access the Capture Options dialogue box, which is shown in Fig. 3.2.2.

Fig. 3.2.2: Capture Options

In the capture field we can define the Interface on which we want to capture traffic, the Buffer size of the captured data and some Capture Filters.

We can also capture traffic directly to a single file or to multiple files, or we can tell Wireshark, in the Stop Capture field, to stop the capturing process after a certain limit is reached.

3.3 Capture Filters

For analysing the captured traffic, filters are the tools which aid us.

Capture filters are used when we want to limit the number of packets that we are capturing. You can set them up to capture only specific packets.

For example, we may want to capture only ARP traffic or HTTP traffic or traffic coming only from our interface card. To emphasize their importance, imagine that within seconds some 10000 packets are captured and you want to find specific protocols or IP addresses. By use of a filter, one can easily limit the captured results as desired.

Alternatively, the options in View → Coloring Rules… can be used to colorize packets which fit a certain pattern.

Another important option is Follow TCP Stream. You can find it under the Analyze menu. This feature allows the user to display the contiguous data stream of a TCP connection.

To open the default list of capture filters in Wireshark, go to:

Capture → Capture Filters…, or you can also use the corresponding button on the toolbar. Fig. 3.3 shows what the Capture Filter dialogue box looks like.

Fig. 3.3: Capture Filters

The several tables below describe some frequently used capture filters:

[src|dst] host <ip-address|host-name>

This primitive allows you to filter on a host IP address or name. You can optionally precede the primitive with the keyword src|dst to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears as either the source or the destination address will be selected.

src host 192.168.1.1       Packets coming from 192.168.1.1
dst host 134.91.90.77      Packets going to 134.91.90.77
host 134.91.90.77          Packets coming from and going to 134.91.90.77
src host www.uni-due.de    Packets coming from www.uni-due.de

Table 3.3.1

[Fig. 3.3 labels: List of Default Filters; Name of selected filter; Actual filter string of the selected filter]

ether [src|dst] host <ehost>

This primitive allows you to filter on Ethernet host addresses. You can optionally include the keyword src|dst between the keywords ether and host to specify that you are only interested in source or destination addresses. If these are not present, packets where the specified address appears in either the source or destination address will be selected.

ether src host 00:01:FF:22:B1:32    Packets coming from 00:01:FF:22:B1:32
ether dst host 00:01:FF:22:B1:32    Packets going to 00:01:FF:22:B1:32
ether host 00:01:FF:22:B1:32        Packets coming from and going to 00:01:FF:22:B1:32

Table 3.3.2

[tcp|udp] [src|dst] port <port>

This primitive allows you to filter on TCP and UDP port numbers. You can optionally precede this primitive with the keywords src|dst and tcp|udp, which allow you to specify that you are only interested in source or destination ports and in TCP or UDP packets respectively. The keywords tcp|udp must appear before src|dst.

port 80            Packets coming from and going to port 80, regardless of whether TCP or UDP is used
tcp dst port 80    Packets going to TCP port 80
udp port 4987      Packets coming from and going to UDP port 4987

Table 3.3.3

Table 3.3.4 below shows the logical operators used when defining capture filters in Wireshark.

Examples for logical expressions:

ip and less 80                     IP packets of 80 bytes or less
ether proto \ip && len > 512       Ethernet frames transporting IP packets which are bigger than 512 bytes
dst host 192.168.1.1 && port 80    Packets which have 192.168.1.1 as destination and are transmitted over port 80

Logical Operators:

&&    Logical AND between 2 expressions
||    Logical OR between 2 expressions
!     NOT operator

General form of a logical expression for Capture Filters (everything in square brackets "[ ]" is optional):

[not] primitive (and | or) [not] primitive
[!] primitive (&& | ||) [!] primitive

Table 3.3.4
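To make the filter grammar of Tables 3.3.1 to 3.3.4 concrete, here is an added example that is neither part of the original lab sheet nor Wireshark's own code: a small recursive-descent evaluator for that subset of the capture filter syntax, run over constructed packet summaries. It handles host, ether host and port with the src/dst and tcp/udp qualifiers, the ip, less, len and ether proto primitives, and not/and/or in both spellings; host names are assumed to be given as addresses, since it does no name resolution.

```python
import re

# Constructed packet summaries standing in for captured frames (sample data, not a real capture)
PACKETS = [
    {"eth_src": "00:01:FF:22:B1:32", "eth_dst": "00:E0:7D:82:DD:86", "ip_src": "134.91.90.77",
     "ip_dst": "192.168.1.1", "proto": "tcp", "src_port": 80, "dst_port": 49152, "len": 1514},
    {"eth_src": "00:E0:7D:82:DD:86", "eth_dst": "00:01:FF:22:B1:32", "ip_src": "192.168.1.1",
     "ip_dst": "134.91.90.77", "proto": "tcp", "src_port": 49152, "dst_port": 80, "len": 60},
    {"eth_src": "00:E0:7D:82:DD:86", "eth_dst": "00:01:FF:22:B1:32", "ip_src": "192.168.1.1",
     "ip_dst": "192.168.1.254", "proto": "udp", "src_port": 4987, "dst_port": 53, "len": 74},
    {"eth_src": "00:E0:7D:82:DD:86", "eth_dst": "FF:FF:FF:FF:FF:FF", "ip_src": None,
     "ip_dst": None, "proto": "arp", "src_port": None, "dst_port": None, "len": 42},
]
TOKEN = re.compile(r"&&|\|\||[()!]|[^\s()!]+")

class CaptureFilter:
    """Grammar of Table 3.3.4: expr := term (('or'|'||') term)*;
    term := factor (('and'|'&&') factor)*; factor := ('not'|'!') factor | '(' expr ')' | primitive"""
    def __init__(self, text):
        self.tokens, self.pos = TOKEN.findall(text), 0
    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None
    def take(self):
        self.pos += 1
        return self.tokens[self.pos - 1]
    def matches(self, pkt):
        self.pos = 0
        value = self.expr(pkt)
        assert self.peek() is None, f"unexpected token {self.peek()!r}"
        return value
    def expr(self, pkt):
        value = self.term(pkt)
        while self.peek() in ("or", "||"):
            self.take()
            value = self.term(pkt) or value     # evaluate both sides so every token is consumed
        return value
    def term(self, pkt):
        value = self.factor(pkt)
        while self.peek() in ("and", "&&"):
            self.take()
            value = self.factor(pkt) and value
        return value
    def factor(self, pkt):
        tok = self.take()
        if tok in ("not", "!"):
            return not self.factor(pkt)
        if tok == "(":
            value = self.expr(pkt)
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        return self.primitive(tok, pkt)
    def endpoint(self, pkt, keyword, key):      # [src|dst] host <addr>  or  [src|dst] port <port>
        dirs = [self.take()] if self.peek() in ("src", "dst") else ["src", "dst"]
        if self.take() != keyword:
            raise ValueError(f"expected {keyword!r}")
        want = self.take().upper()
        return any(str(pkt[key(d)]).upper() == want for d in dirs)
    def primitive(self, tok, pkt):
        if tok == "ip":
            return pkt["ip_src"] is not None
        if tok in ("tcp", "udp"):               # bare protocol, or tcp|udp [src|dst] port N
            if self.peek() in ("src", "dst", "port"):
                return self.endpoint(pkt, "port", lambda d: f"{d}_port") and pkt["proto"] == tok
            return pkt["proto"] == tok
        if tok == "less":                       # less N: frame length <= N bytes
            return pkt["len"] <= int(self.take())
        if tok == "len":                        # len > N / len < N
            op, n = self.take(), int(self.take())
            return pkt["len"] > n if op == ">" else pkt["len"] < n
        if tok == "ether":
            if self.peek() == "proto":          # ether proto \ip
                self.take()
                return self.take().lstrip("\\") == "ip" and pkt["ip_src"] is not None
            return self.endpoint(pkt, "host", lambda d: f"eth_{d}")
        self.pos -= 1                           # src/dst/host/port: endpoint() re-reads them
        following = self.tokens[self.pos + 1] if tok in ("src", "dst") else tok
        if following == "port":
            return self.endpoint(pkt, "port", lambda d: f"{d}_port")
        if following == "host":
            return self.endpoint(pkt, "host", lambda d: f"ip_{d}")
        raise ValueError(f"unknown primitive {tok!r}")

def select(filter_text, packets=PACKETS):
    flt = CaptureFilter(filter_text)
    return [i for i, p in enumerate(packets) if flt.matches(p)]
```

The return value of select is the list of packet indexes the filter lets through, which is what Wireshark would hand to the decoder.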

3.4 Display Filters

Display filters allow you to concentrate on the packets you are interested in while hiding the currently uninteresting ones. They allow you to select packets by many different criteria.

Wireshark provides a simple but powerful display filter language. You can compare values in packets as well as combine expressions into more specific expressions.

Fig. 3.4: Display Filters

We can enter filters directly in the Display Filter Toolbar or choose a filter from the "Expression…" dialog box as shown in Fig. 3.4.

Comparison operators in display filters:

Operator   Analogue   Meaning
eq         ==         Equal
not        !          Not
ne         !=         Not Equal
gt         >          Greater Than
lt         <          Less Than
ge         >=         Greater Than or Equal to
le         <=         Less Than or Equal to

Syntax of display filters:

<protocol>.<element>.<subelement> <operator> <value>

An element is an available field name for filtering of the selected protocol. We can take a look at them by expanding the field for any protocol in the "Filter Expression" dialog box.

Examples:

ip.addr eq 134.91.90.77 - displays all IP packets that have the address 134.91.90.77 as source or destination.

eth.src eq 00:01:FF:22:B1:32 - displays all Ethernet frames that have a source station with MAC address 00:01:FF:22:B1:32.
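As an added example (not part of the original lab sheet), a minimal evaluator for the display filter syntax above with the operators of the comparison table, run over constructed decoded-packet summaries. It reproduces the classic any-occurrence reading of multi-valued fields such as ip.addr, which is why `ip.addr ne X` does not exclude packets involving X and the negated form `!(ip.addr eq X)` is the one to use; newer Wireshark releases changed the meaning of `!=`, so check the version in use.

```python
import re

# Decoded-packet summaries constructed for this example (not a real capture). Field names
# follow Wireshark's protocol.element scheme; the ARP frame has no ip.* fields at all.
PACKETS = [
    {"eth.src": "00:01:ff:22:b1:32", "eth.dst": "00:e0:7d:82:dd:86", "ip.src": "134.91.90.77",
     "ip.dst": "192.168.1.1", "ip.ttl": 57, "tcp.srcport": 80, "tcp.dstport": 49152},
    {"eth.src": "00:e0:7d:82:dd:86", "eth.dst": "00:01:ff:22:b1:32", "ip.src": "192.168.1.1",
     "ip.dst": "134.91.90.77", "ip.ttl": 128, "tcp.srcport": 49152, "tcp.dstport": 80},
    {"eth.src": "00:e0:7d:82:dd:86", "eth.dst": "ff:ff:ff:ff:ff:ff", "arp.opcode": 1},
]
# Operator table of Sec. 3.4: the keyword and the symbolic spelling share one meaning
OPERATORS = {"eq": "==", "==": "==", "ne": "!=", "!=": "!=", "gt": ">", ">": ">",
             "lt": "<", "<": "<", "ge": ">=", ">=": ">=", "le": "<=", "<=": "<="}
COMPARE = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
           "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}
# ip.addr and tcp.port are pseudo-elements that stand for both directions
ALIASES = {"addr": ("src", "dst"), "port": ("srcport", "dstport")}
FILTER = re.compile(r"^\s*(?P<neg>not\s+|!\s*)?(?P<field>[a-z]+(?:\.[a-z]+)+)"
                    r"(?:\s*(?P<op>[a-z]{2}|[=!<>]{1,2})\s*(?P<val>\S+))?\s*$")
PROTO = re.compile(r"^\s*(?P<neg>not\s+|!\s*)?(?P<proto>[a-z]+)\s*$")

def field_values(pkt, name):
    """Every occurrence of a field in one packet: ip.addr yields both ip.src and ip.dst."""
    proto, element = name.split(".", 1)
    names = [f"{proto}.{e}" for e in ALIASES.get(element, (element,))]
    return [pkt[n] for n in names if n in pkt]

def matches(expr, pkt):
    if m := PROTO.match(expr):                       # bare protocol name: 'ip', 'arp', ...
        hit = any(key.startswith(m["proto"] + ".") for key in pkt)
    elif (m := FILTER.match(expr)) and m["op"] in OPERATORS:
        cmp = COMPARE[OPERATORS[m["op"]]]
        values = field_values(pkt, m["field"])
        # Classic semantics: the comparison holds if ANY occurrence of the field satisfies it,
        # so 'ip.addr ne X' still matches a packet whose other address is not X.
        hit = any(cmp(v, int(m["val"]) if isinstance(v, int) else m["val"].lower()) for v in values)
    elif m and m["op"] is None:                      # field presence test, e.g. 'tcp.dstport'
        hit = bool(field_values(pkt, m["field"]))
    else:
        raise ValueError(f"bad display filter: {expr!r}")
    return not hit if m["neg"] else hit

def select(expr, packets=PACKETS):
    """Indexes of the packets the display filter keeps."""
    return [i for i, p in enumerate(packets) if matches(expr, p)]
```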

4. Exercises

In this document the ARP (Address Resolution Protocol) was explained.

With the command arp -a in the command prompt console you get a printout of the current ARP table.

1. Try to find the IP addresses and the corresponding MAC addresses of all computers in your network. Please write them down in the table below. Keep in mind that the ARP table is not static: it contains only the addresses that were required by an established communication.

                    IP-Address        MAC-Address
Server (Windows)
Client (Windows)
Firewall (Linux)

Now that you know all IP and MAC addresses you should take a look at the network traffic.

2. Start Wireshark, choose Capture → Options.

Set the capture to stop after 100 packets are captured.

While capturing you have to generate some traffic e.g. by accessing a website. Try to get familiar with the program by testing some functions. If you face any problems do not hesitate to ask.

3. Start Wireshark on the server computer.

The rest of the group should generate different traffic on the client computer.

For Example: accessing websites, FTP servers, Ping or telnet and so on. With the help of the data retrieved by Wireshark try to find out which services, which servers and which pages were accessed by the client computer.

It also works vice versa, starting Wireshark on the client and generating traffic from the server.

4. Now that you are able to identify the captured packets, we can take a look at the security aspects.

Once again start Wireshark and start monitoring the traffic.

The tutor will join your network and enter his email account (www.gmx.de). Try to get the password he is using for his email account.

Notes:

Literature:

Andrew S. Tanenbaum: "Computernetzwerke", Prentice-Hall, 1998

W.E. Proebster: "Rechnernetze: Technik, Protokolle, Systeme, Anwendungen", Oldenbourg 2002

Anatol Badach, Erwin Hoffmann: "Technik der IP-Netze", Hanser 2001

Links:

http://www.wireshark.org/

http://www.wiresharktraining.com/resources.html

http://wiki.wireshark.org/

http://www.wiresharktraining.com/

http://www.packet-level.com/

http://www.iana.org/

http://www.icir.org/enterprise-tracing/
